Publication: A Model Extraction Attack on Deep Neural Networks Running on GPUs
| dc.contributor.advisor | Sandip Kundu | |
| dc.contributor.author | O'Brien Weiss, Jonah G | |
| dc.contributor.department | University of Massachusetts Amherst | |
| dc.contributor.department | Electrical & Computer Engineering | |
| dc.date | 2023-11-02T21:44:32.000 | |
| dc.date.accessioned | 2024-04-26T18:12:11Z | |
| dc.date.available | 2024-04-26T18:12:11Z | |
| dc.date.submitted | May | |
| dc.date.submitted | 2023 | |
| dc.description.abstract | Deep Neural Networks (DNNs) have become ubiquitous due to their performance on prediction and classification problems. However, they face a variety of threats as their usage spreads. Model extraction attacks, which steal DNN models, endanger intellectual property, data privacy, and security. Previous research has shown that system-level side channels can be used to leak the architecture of a victim DNN, exacerbating these risks. We propose a novel DNN architecture extraction attack, called EZClone, which uses aggregate rather than time-series GPU profiles as a side-channel to predict DNN architecture. This approach is not only simpler, but also requires less adversary capability than earlier works. We investigate the effectiveness of EZClone under various scenarios including reduction of attack complexity, against pruned models, and across GPUs with varied resources. We find that EZClone correctly predicts DNN architectures for the entire set of PyTorch vision architectures with 100\% accuracy. No other work has shown this degree of architecture prediction accuracy with the same adversarial constraints or using aggregate side-channel information. Prior work has shown that, once a DNN has been successfully cloned, further attacks such as model evasion or model inversion can be accelerated significantly. Then, we evaluate several mitigation techniques against EZClone, showing that carefully inserted dummy computation reduces the success rate of the attack. | |
| dc.description.degree | Master of Science in Electrical and Computer Engineering (M.S.E.C.E.) | |
| dc.identifier.doi | https://doi.org/10.7275/35614344 | |
| dc.identifier.orcid | https://orcid.org/0009-0005-4119-7887 | |
| dc.identifier.uri | https://hdl.handle.net/20.500.14394/32978 | |
| dc.relation.url | https://scholarworks.umass.edu/cgi/viewcontent.cgi?article=2386&context=masters_theses_2&unstamped=1 | |
| dc.rights.uri | http://creativecommons.org/licenses/by/4.0/ | |
| dc.source.status | published | |
| dc.subject | model extraction | |
| dc.subject | adversarial machine learning | |
| dc.subject | machine learning | |
| dc.subject | side-channel attack | |
| dc.title | A Model Extraction Attack on Deep Neural Networks Running on GPUs | |
| dc.type | openaccess | |
| dc.type | article | |
| dc.type | thesis | |
| digcom.contributor.author | isAuthorOfPublication|email:jgow98@gmail.com|institution:University of Massachusetts Amherst|O'Brien Weiss, Jonah G | |
| digcom.identifier | masters_theses_2/1293 | |
| digcom.identifier.contextkey | 35614344 | |
| digcom.identifier.submissionpath | masters_theses_2/1293 | |
| dspace.entity.type | Publication |
Files
Original bundle
1 - 1 of 1
No Thumbnail Available
- Name:
- O_Brien_Weiss.pdf
- Size:
- 4.48 MB
- Format:
- Adobe Portable Document Format